Notifiable Data Breaches (NDB) Scheme - quick guide

Mandatory data breach reporting is now a reality in Australia for many organisations. It is now the LAW to report certain data breaches. Known as the NDB scheme, it means that organisations need to think about their preparation and response to a potential cyber attack. The law also aligns our country with the EU, UK, Japan and some US jurisdictions.

For hospitals, aged care providers, schools and other organisations that store large amounts of data, the implications of not reporting a data breach that has affected the privacy of individuals can potentially be very expensive indeed.

All Australian companies that are currently subject to the Privacy Act must comply with the law

If an organisation becomes aware there has been an ‘eligible data breach’ it may have to notify the Privacy Commissioner and affected individuals.

If someone has gained unauthorised access to systems within an organisation and disclosed data, or caused the loss of personal information that may seriously harm individuals, organisations may have to notify that individual and The Office of the Australian Information Commissioner (OAIC).

What should you do if you think there may be a data breach in your organisation?

It depends on the circumstances, but the notification must include recommendations about the steps that staff have taken in response to the breach.

Notify the OAIC

Notify all individuals to whom the data breach relates

Notify only individuals at risk of serious harm

If notifying individuals is not possible, make a notification public on a website and publicise it via social media or other avenues

The exception to this is if effective 'remedial action' has been taken before the breach causes serious harm.

Caroline Hogan is an Associate Lawyer at Ashurst, a leading international law firm connected to a global network representing many blue-chip multinationals. Hogan was asked to clarify some of CCI clients’ legal concerns around Notifiable Data Breaches (NDB) at the recent CCI Cyber Focus Forum in Melbourne. The question of whether or not an organisation is likely to be penalised if they are unaware of a data breach appears a typical worry among people who are still learning about data security matters.

“It won’t mean anything if an organisation hasn’t notified the Commissioner about a data breach if they aren’t actually aware that they have had a breach. If someone in a parish, or a school for example, knew about a data breach but didn’t report it then it depends on what their role in the organisation is. It’s the organisation that has to become aware of a breach,” explains Hogan.

She also notes that an organisation needs to have information to suspect a breach has occurred before they report it.

“You need to conduct an assessment to see if the breach is notifiable. If the answer is yes, then you need to make a statement to the Australian Information Commissioner. If it’s practical to do so, notify each individual affected by the breach. You do that by email or newsletter, even using Twitter will get the notification out there.”

She also suggests that organisations revise their current insurance policy. In a worst case scenario where damage to an individual(s) results in legal action, Hogan says “it will be useful to know if legal fees are covered in an insurance policy.”

Will having cyber security insurance help?

With the advent of cybercrime, and its alarming ability to wreak havoc across interconnected communities, organisations are starting to place insurance coverage at the centre of their strategic risk management plans.

CCI’s John Morrow, Manager, Solutions is aware of the difficulties people have in navigating regulatory changes while monitoring industry developments to help become more risk averse.

“For many clients, staying up-to-date with the latest cyber security threats and legal issues can appear daunting but there are steps clients can take to protect themselves. Implementing risk and vulnerability assessments to identify what information or data needs to be protected, even among your external partners, as well as having cyber security governance frameworks in place with relevant compliance monitoring are good first steps,” says Morrow.

He describes the impact of the Australian Red Cross data breach in 2016, when the personal information of more than half a million blood donors was leaked through a massive data breach. Some of it contained information about "at-risk sexual behaviour" and the ABC reported it at the time to be Australia's largest security breach.

The breach was eerily similar to the National Health Service (NHS) cyber attack in the UK the following year, in which simple human error played a key role. The NHS had failed to update old software and that might have made a difference. The Red Cross dropped the ball because of the actions of a third party provider's employee. The Australian Information and Privacy Commissioner who investigated the breach, a representative Timothy Pilgrim, concluded that data was saved to a publicly accessible portion of a webserver managed by an employee of the third party provider. The breach was discovered by an individual who contacted a cyber security expert, but the horse had already bolted.

How the Red Cross managed the aftermath would be critical. They acted straight away and confirmed that a copy of the data file held by the individual had been deleted by the internet service provider. Not only did they notify all those affected in a timely manner, they also did a risk assessment of the leaked information and had a forensic analysis carried out on the compromised server to track evidence of it being used and sold.

“Even with this model response, the Commissioner found that the Red Cross had failed to put in place some contractual procedures to make sure their service provider had sufficient security arrangements of their own,” explains Morrow.

The Red Cross followed up by engaging an independent reviewer to assess their third party management reporting. Presumably, both Red Cross and their provider now have a renewed privacy and data protection position among their industry peers.

But data breaches vary by type and are becoming more devastating as they grow in sophistication, financial cost, and reach. Hackers steal credit and debit card information, addresses, email addresses and they use numerous techniques to inflict damage to business. When hackers steal data, they often use it for identity theft and for ransoms.

Are there warning signs to suggest a data security breach?

Hackers will use the following ways to dig deep holes in data storage systems. Here are the basic terms used to define malicious acts using technology:

Hacking

Access is gained by using technology to invade a computer, mobile device or network to get hold of personal information or sensitive data.

Phishing

Through email campaigns, all it takes is one click on a malicious link and hackers can steal data containing the payment details and personal information of patients, customers, or students. Scammers send emails that look like they are from a legitimate business such as a bank. Be mindful of any requests for credit card information, or for verification of personal information.

Whaling and spear phishing

A more sophisticated scammer can target a business by name and with confidential details they stole from somewhere else. Its purpose is to look more real and lure a business into thinking there is a legitimate need for information.

Malware and ransomware

Once they have gained access through phishing, the bad guys can install malware (evil software) that gathers encrypted data including private information, Visa and MasterCard payments for example.

The use of malware infects a computer with tools that redirect the user in their search for a website. Some links within a scam email will direct readers to a fake website. Sometimes malware simply corrupts a search function.

What’s the worst that could happen from a data security breach?

Reputational damage is very difficult to recover from. For hospitals and universities reputation is critical to an organisation’s competitive position in the market.

Financial costs after a breach can result in a decline in profits or drop in revenue, and incurred costs for damage control.

Business disruption can be devastating for an organisation, and the aftermath can result in resignations or permanent career damage for senior leaders.

Legal investigations and liability can come about through the attention of regulatory committees, the Australian Securities and Investments Commission (ASIC), various government bodies and the Federal Trade Commission, to name a few.

Legal costs may result from class or individual legal actions and these are usually driven by financial institutions, consumers and other shareholders.

How do organisations start to take action to protect data right away?

Managing the obligations and agreements with third party service providers requires a close look at contractual provisions and a focus on due diligence. Organisations need to know where their data is stored and who can access it.

Identifying and measuring risks to data storage security have seen some organisations invest in ‘alerts’ software, and most organisations run regular systems audits.

Directors' duties and risk or compliance officers need to have a clear understanding of the cyber security systems for which they are responsible, and all personnel need to have an awareness of their role in protecting data.

Organisations are under pressure to meet the minimum in industry standards but should strive to match best practices that comply with international standards.

The Boards and directors are the first responders in the fight against cyber security attacks that can result in stolen data. How cyber security smart an organisation is will determine how safe their digital assets are.

Caroline Hogan is a Senior Associate in Ashurst's Digital Economy Group in Melbourne advising on a wide range of technology, commercial and telecommunication matters including: privacy, outsourcing, cloud computing, software and IP licensing, and commercial contracting for both public and private sector clients. Caroline also has vast experience advising on IT and privacy issues having worked in London for the firm providing IT, IP and data protection advice. Before joining Ashurst in 2014, Caroline worked for a leading national law firm in Canberra in the Government advisory practice assisting on large scale IT, telecommunications and commercial procurement and outsourcing. She was a panel member for CCI’s 2018 Cyber Focus Forum.